On Thu, 10 Aug 1995, John Cougar wrote:
> Hey Pat
> give away a copy of an organisations Security Policy?!? Not only must
> you be kidding, but also: fat chance. That'd be as negligent as giving
> away company trade secrets!
NOT! The security policy can be as simple as "all that is not
specifically permitted is forbidden." It's not the policy, it's how you
enforce it that _may_ need protection.
Consider a policy for passwords:
1) all login accounts must have passwords
2) all passwords must be at least 6 characters
3) all passwords must contain at least
a) 1 upper case alphabetic character
b) 1 lower case alphabetic character
c) 1 non-alphabetic character
What advantage does this give a potential intruder? What advantage does
it give the user? the administrator? (Rhetorical questions; solutions are
left to the student.)
Now if you reveal the enforcement mechanism and make the password file
available for public scrutiny, then you _may_ be giving something away,
but if all you reveal is the policy, you give away nothing.
> You can, however, get more than enough info. from the RFC 1244, available
> at any number of archives. Try an archie server near you someplace.
Here are a few Web sites of interest:
The last one, the National Institute of Standards and Technology, has a
separate topic for policies. It can also be reached by anonymous ftp.
> You'll also want copies of the DoD Orange Book,
... to prop up the corner of a wobbly monitor. The Orange Book
has absolutely nothing to say about writing policies - it's a set of
evaluation criteria for trusted systems. For the record, it is available,
for the asking (as is the whole Rainbow series), from:
INFOSEC Awareness Division
Ft. George G. Meade, MD 20755-6000
+1 410 766 8729
(This latter information changes at unpredictable intervals. Security by
obscurity at the NSA?)
Electronic copies also exist in many on-line archives.
Unix Network Security Analyst
Management Systems Applications, Inc.
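Added example, not part of the original thread: a checker for the three-rule password policy quoted above, plus an inclusion-exclusion count of how much of the 6-character keyspace the policy leaves. It assumes an alphabet of the 95 printable ASCII characters (26 upper, 26 lower, 43 others), which the post does not state.

```python
import string
from itertools import product

# Character classes for the policy. The 43-character "other" class
# (digits, punctuation, space) is an assumption for the keyspace estimate.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
OTHER = set(string.digits + string.punctuation + " ")


def check_policy(pw, min_len=6):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"rule 2: shorter than {min_len} characters")
    if not any(c in UPPER for c in pw):
        problems.append("rule 3a: no upper case character")
    if not any(c in LOWER for c in pw):
        problems.append("rule 3b: no lower case character")
    if not any(c in OTHER for c in pw):
        problems.append("rule 3c: no non-alphabetic character")
    return problems


def compliant_count(n, u=len(UPPER), l=len(LOWER), o=len(OTHER)):
    """Number of length-n strings that contain at least one character from
    each class, by inclusion-exclusion over the 'class missing' events."""
    total = (u + l + o) ** n
    missing_one = (l + o) ** n + (u + o) ** n + (u + l) ** n
    missing_two = o ** n + l ** n + u ** n
    return total - missing_one + missing_two  # all three missing: 0 strings


def keyspace_fraction(n=6):
    """Fraction of all length-n strings that rule 3 still allows."""
    return compliant_count(n) / (len(UPPER) + len(LOWER) + len(OTHER)) ** n


def brute_force_count(n, upper="AB", lower="ab", other="1!"):
    """Cross-check of compliant_count on a tiny alphabet by enumeration."""
    classes = (upper, lower, other)
    return sum(1 for t in product(upper + lower + other, repeat=n)
               if all(any(c in cls for c in t) for cls in classes))


if __name__ == "__main__":
    print(check_policy("password"))          # violates 3a and 3c
    print(f"{keyspace_fraction(6):.3f} of 6-char keyspace remains")
```

For 6-character passwords the policy leaves about 69% of the keyspace, so publishing it costs roughly half a bit of entropy, which is the point the post makes about revealing policy versus enforcement.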